Integrate Endor Labs with Microsoft Entra ID (formerly Azure Active Directory) to use SSO through the OpenID Connect (OIDC) protocol.
Note
Endor Labs honors the session duration set in OIDC, after which the user needs to reauthenticate. The token expiration claim (exp) controls the session duration in OIDC. If your token does not include an expiration claim, the session duration defaults to four hours. The session duration cannot exceed four hours: if the token expiration claim sets a session duration of more than four hours, the session duration defaults to four hours.
Complete the following tasks to configure Microsoft Entra ID for SSO through OIDC:
Note
You must have administrator access to configure the application end-to-end in Azure.
Create and configure an OIDC application in Azure
Set up an application in Azure to enable OIDC configuration with Endor Labs.
- Sign in to the Azure portal.
- Navigate to App Registrations.
- Click New Registration to create a new application.
- Enter Endor Labs OIDC as the name of your application.
- Under Supported Account Types, select Accounts in this organizational directory only (Single tenant).
- Select Web as the platform under Redirect URI, then enter https://api.endorlabs.com/v1/auth/oidc/callback as the value.
- Click Register.
- Once you’ve set up your application, navigate to Authentication in your application.
- Enter https://api.endorlabs.com/v1/auth/oidc/logout in Front-channel logout URL.
- Click Save.
Configure token claims in your application
Once you’ve created your application, you need to configure token claims to identify and authorize users.
- Navigate to Manage > Token configuration in your application.
- Select Add optional claim.
- Choose ID as the Token type.
- Select email and upn (User Principal Name) from the claims.
- Click Add.
- To use groups, select Add groups claim.
- Choose Security groups to limit the scope to groups assigned to the application.
- Choose Group ID as the Token type.
- Click Save.
Create a client secret
Create a client secret to allow Endor Labs to securely authenticate with the application.
- Navigate to Manage > Certificates & secrets in your application.
- Select New client secret.
- Enter a description and select the expiry of the client secret.
- Click Add.
- Copy the Value immediately and store it in a secure location.
Collect required values
To configure the custom identity provider in Endor Labs, you must retrieve the Application (client) ID and Directory (tenant) ID from your Azure application.
- Navigate to App Registrations.
- Select your application.
- Select Overview from the left sidebar.
- Copy the Application (client) ID and Directory (tenant) ID.
Create Entra ID SSO in Endor Labs
Provide the Identity Provider details to configure Microsoft Entra ID in Endor Labs and allow users to seamlessly and securely sign in to Endor Labs.
Note
You must be an Endor Labs administrator to configure custom identity providers and authorization policies.
- Sign in to Endor Labs.
- Select Access Control under Manage in the left sidebar.
- Select Custom Identity Provider.
- Select the TYPE OF IDENTITY PROVIDER as OIDC.
- Enter the IDENTITY PROVIDER NAME as Microsoft Entra ID.
- In the DISCOVERY URL, enter your discovery URL. This typically consists of your Directory (tenant) ID followed by /.well-known/openid-configuration. For example, https://login.microsoftonline.com/abcd1234-5678-90ef-ghij-1234567890kl/v2.0/.well-known/openid-configuration.
- Enter the client ID and client secret from Azure that you copied earlier.
- Under Advanced Configuration, enter the following in scopes: email, openid, and profile. Press Enter after every entry to add each attribute successfully.
- If you are configuring group-based authentication, ensure that you add groups in claim names.
- Click Save Configuration.
Note
Based on your Microsoft Entra ID configuration, you may need additional Azure claim names as scopes in Endor Labs. Consult your Microsoft administrator for additional guidance.
Configure your Authorization Policy
Once you’ve configured your custom identity provider in Endor Labs you must configure an authorization policy for your users and groups.
To set up an authorization policy:
- Sign in to Endor Labs.
- Select Access Control > Auth Policy from the left sidebar.
- Select Add Auth Policy.
- Enter Microsoft Entra ID as your identity provider.
- Select the permissions you’d like to assign your user or group.
- Under claims, update your Key. Use email to assign permissions to an individual user by email address, or groups to assign them by group.
- Set the value of the key to the email address of the user or the group ID you would like to authorize. This value is case-sensitive.
- Repeat as needed for any additional users or groups.
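As an added illustration (not Endor Labs code), tying together the session-duration note at the top of this page and the claim-based authorization policy above: this Python reads the claims from a constructed Entra ID-style ID token, applies the four-hour session rule, and evaluates policies keyed on email or groups with case-sensitive matching. The tenant ID, group ID and policy record layout are placeholders, not values from the page.

```python
import base64
import json
import time

MAX_SESSION_SECONDS = 4 * 60 * 60  # the four-hour cap described on this page

def decode_jwt_payload(token: str) -> dict:
    """Payload claims of a compact JWT, read without verification: signature
    and issuer checks belong to the OIDC client; this only inspects claims."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def session_seconds(claims: dict, now: int) -> int:
    """Session length bounded by exp, defaulting to four hours when exp is
    absent or would exceed four hours (the rule in the note above)."""
    exp = claims.get("exp")
    if exp is None:
        return MAX_SESSION_SECONDS
    return min(max(exp - now, 0), MAX_SESSION_SECONDS)

def matching_policies(claims: dict, policies: list) -> list:
    """Permissions of each policy whose key ('email' for a user, 'groups' for a
    group object ID) matches the token; values compare case-sensitively."""
    granted = []
    for policy in policies:
        claim = claims.get(policy["key"])
        values = claim if isinstance(claim, list) else [claim]
        if policy["value"] in values:
            granted.append(policy["permissions"])
    return granted

def unsigned_token(payload: dict) -> str:
    # Constructed sample token (alg=none, empty signature) for offline use only.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}."

if __name__ == "__main__":
    now = int(time.time())
    # Constructed claims with placeholder tenant and group IDs, not real values.
    token = unsigned_token({"iss": "https://login.microsoftonline.com/<tenant-id>/v2.0",
                            "email": "alice@example.com", "upn": "alice@example.com",
                            "groups": ["00000000-0000-0000-0000-00000000abcd"],
                            "exp": now + 8 * 3600})  # over the cap: session ends after 4h
    claims = decode_jwt_payload(token)
    policies = [{"key": "email", "value": "alice@example.com", "permissions": "Read"},
                {"key": "groups", "value": "00000000-0000-0000-0000-00000000abcd", "permissions": "Admin"},
                {"key": "email", "value": "Alice@example.com", "permissions": "Owner"}]  # case mismatch
    print(session_seconds(claims, now), matching_policies(claims, policies))  # 14400 ['Read', 'Admin']
```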